IPSec Configuration

Lab topology

Lab requirements

  1. R1 and PC1 simulate the branch office, R2 and PC2 simulate the headquarters; connect the branch office and the headquarters through an IPSec VPN.
  2. The interconnection IP addresses between devices are as shown in the figure;
  3. Configure NAT on R1 and R2 respectively, so that internal users can reach the Internet through NAT;
  4. Configure IPSec VPN on R1 and R2 respectively, so that the branch office and the headquarters can reach each other;

Configuration approach

Configure IP addresses according to the topology

R1
Router#conf ter
Router(config)#hostname R1
R1(config)#int fa0/1                  
R1(config-if)#ip add 13.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R2
Router#conf ter  
Router(config)#hostname R2
R2(config)#int fa 0/1
R2(config-if)#ip add 23.1.1.2 255.255.255.0 
R2(config-if)#no sh
R2(config-if)#int fa 0/0   // LAN side; 192.168.2.1 is PC2's default gateway and R2's NAT inside interface below
R2(config-if)#ip add 192.168.2.1 255.255.255.0
R2(config-if)#no sh
R3
Router#conf terminal 
Router(config)#hostname ISP
ISP(config)#int fa 0/0
ISP(config-if)#ip add 13.1.1.3 255.255.255.0
ISP(config-if)#no sh
ISP(config-if)#int fa0/1
ISP(config-if)#ip add 23.1.1.3 255.255.255.0
ISP(config-if)#no sh
ISP(config-if)#exit
ISP(config)#int lo0     
ISP(config-if)#ip add 3.3.3.3 255.255.255.255
PC1
Router#conf ter
Router(config)#hostname PC1
PC1(config)#no ip routing   // behave as a host, not a router
PC1(config)#int fa 0/0
PC1(config-if)#ip add 192.168.1.2 255.255.255.0
PC1(config-if)#no sh
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.1.1   // takes effect only while ip routing is disabled
PC2
Router#conf ter
Router(config)#hostname PC2
PC2(config)#no ip routing 
PC2(config)#int fa 0/0
PC2(config-if)#ip add 192.168.2.2 255.255.255.0
PC2(config-if)#no sh
PC2(config-if)#exit
PC2(config)#ip default-gateway 192.168.2.1

Configure NAT on R1 and R2

R1
// Configure an ACL that excludes the IPSec VPN traffic from NAT. On IOS, inside-to-outside NAT runs before the crypto map is consulted, so if this flow were translated to 13.1.1.1 it would no longer match crypto ACL 101 and the tunnel would never come up.
R1(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#access-list 100 permit ip any any  

// Set the inside and outside interfaces
R1(config)#int fa 0/0
R1(config-if)#ip nat inside 
R1(config-if)#int fa 0/1
R1(config-if)#ip nat outside 
R1(config-if)#exit

R1(config)#ip nat inside source list 100 interface fastEthernet0/1 overload 

// Parameters of ip nat inside source list:
Syntax: ip nat inside source list access-list-number {pool pool-name | interface interface-id} [overload]
Parameters
access-list-number: the number of the access list that defines which source addresses are translated.
pool-name: the name of an IP address pool; the pool defines the inside global addresses used for NAT.
interface-id: an interface; the IP address of that interface is used as the inside global address.
overload: enables port multiplexing (PAT), so that one global address can be mapped to many local addresses. It is used for many-to-one NAT, letting many inside hosts communicate through a single NAT address at the same time; without it, dynamic NAT assigns one global address per inside host, so with only the interface address available just one inside host could be translated at a time.

// Configure a default route towards the ISP
R1(config)#ip route 0.0.0.0 0.0.0.0 13.1.1.3
R2
// Configure an ACL that excludes the IPSec VPN traffic from NAT
R2(config)#access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255     
R2(config)#access-list 100 permit ip any any

// Set the inside and outside interfaces
R2(config)#int fa0/1
R2(config-if)#ip nat outside 
R2(config-if)#int fa 0/0
R2(config-if)#ip nat inside
R2(config-if)#exit

R2(config)#ip nat inside source list 100 interface fastEthernet 0/1 overload 

// Configure a default route towards the ISP
R2(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.3 
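The following is an added example, not part of the original post, that models in Python why the deny line in ACL 100 is needed. It evaluates IOS-style wildcard-mask ACLs and applies the simplified IOS outbound order (inside-to-outside NAT first, then the crypto map on the outside interface with the post-NAT header). The ACLs and addresses are the ones configured on R1 above; the forwarding model, the Ace class and the forward() function are this example's own simplification, not IOS code. It also shows what happens if the crypto map is missing: the exempted private traffic leaves the outside interface untranslated and unencrypted.

```python
"""Model of how IOS orders NAT and the crypto map for an inside->outside packet.

Added example (not from the original post). Wildcard-mask ACL evaluation plus a
simplified IOS forwarding order: inside-to-outside NAT is applied first, then
the crypto map on the outside interface is consulted with the translated header.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, source net/wildcard, destination net/wildcard."""
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def wc_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wc_match(src, ace.src, ace.src_wc) and wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 100 on R1 (NAT ACL): deny the VPN flow, permit everything else
NAT_ACL_R1 = [
    Ace("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    Ace("permit", *ANY, *ANY),
]
# The same ACL without the exemption line (the mistake this example illustrates)
NAT_ACL_NO_EXEMPT = [Ace("permit", *ANY, *ANY)]
# access-list 101 on R1 (crypto ACL): the traffic that must be protected
CRYPTO_ACL_R1 = [Ace("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]

R1_OUTSIDE = "13.1.1.1"   # fa0/1 address used by "interface ... overload"


def forward(src: str, dst: str, nat_acl, crypto_acl):
    """Return (disposition, effective source address) for a packet leaving fa0/1.

    disposition is "ipsec" (encrypted by the crypto map), "nat" (translated,
    sent in the clear) or "clear" (neither translated nor encrypted).
    """
    translated = acl_permits(nat_acl, src, dst)
    if translated:
        src = R1_OUTSIDE            # PAT onto the outside interface address
    if acl_permits(crypto_acl, src, dst):
        return "ipsec", src
    return ("nat" if translated else "clear"), src


if __name__ == "__main__":
    print(forward("192.168.1.2", "192.168.2.2", NAT_ACL_R1, CRYPTO_ACL_R1))
    print(forward("192.168.1.2", "3.3.3.3", NAT_ACL_R1, CRYPTO_ACL_R1))
    print(forward("192.168.1.2", "192.168.2.2", NAT_ACL_NO_EXEMPT, CRYPTO_ACL_R1))
    print(forward("192.168.1.2", "192.168.2.2", NAT_ACL_R1, []))
```

With the exemption in place the branch-to-HQ packet keeps its private source and matches the crypto ACL; Internet-bound traffic is translated to 13.1.1.1; without the deny line the same VPN packet is translated first and silently bypasses the crypto map; and with the exemption but no crypto map it leaks to the ISP in the clear with an RFC 1918 source address.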

Configure IPSec VPN on R1 and R2

R1
// ISAKMP/IKE phase 1: the management connection
R1(config)#crypto isakmp policy 1    // security policy for the management connection
R1(config-isakmp)#encr 3des  // encryption algorithm: 3DES
R1(config-isakmp)#hash md5  // hash algorithm: MD5
R1(config-isakmp)#authentication pre-share  // authenticate with a pre-shared key
R1(config-isakmp)#exit
// No "group" is set, so the Diffie-Hellman group defaults to 1 (768 bit), as the show crypto isakmp policy output in the verification section confirms
R1(config)#crypto isakmp key 0 cisco address 23.1.1.2  // pre-shared key for peer 23.1.1.2; "0" means a cleartext key follows ("6" is only for pasting an already type-6-encrypted string from a saved config)

// ISAKMP/IKE phase 2: the data connection
R1(config)#crypto ipsec transform-set myset esp-3des  // security protocol that protects the data: ESP with 3DES and no authentication transform, i.e. confidentiality without integrity
R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  // interesting traffic that triggers the VPN
R1(config)#crypto map mymap 1 ipsec-isakmp   // create the map and tie the phase 2 security protocol to it
R1(config-crypto-map)#set peer 23.1.1.2   // VPN peer
R1(config-crypto-map)#set transform-set myset 
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#exit

R1(config)#int fa0/1
R1(config-if)#crypto map mymap  // apply on the outside interface
R2
// ISAKMP/IKE phase 1: the management connection
R2(config)#crypto isakmp policy 1    // security policy for the management connection
R2(config-isakmp)#encr 3des  // encryption algorithm: 3DES
R2(config-isakmp)#hash md5  // hash algorithm: MD5
R2(config-isakmp)#authentication pre-share  // authenticate with a pre-shared key
R2(config-isakmp)#exit
R2(config)#crypto isakmp key 0 cisco address 13.1.1.1  // pre-shared key for peer 13.1.1.1; must be identical on both sides

// ISAKMP/IKE phase 2: the data connection
R2(config)#crypto ipsec transform-set myset esp-3des  // security protocol that protects the data
R2(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255  // interesting traffic that triggers the VPN (mirror image of R1's ACL 101)
R2(config)#crypto map mymap 1 ipsec-isakmp   // create the map and tie the phase 2 security protocol to it
R2(config-crypto-map)#set peer 13.1.1.1   // VPN peer
R2(config-crypto-map)#set transform-set myset 
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#exit

R2(config)#int fa0/1
R2(config-if)#crypto map mymap  // apply on the outside interface

Note on the algorithm choices: 3DES, MD5 and DH group 1 are kept here because they are what the verification output below was captured with, but all three are deprecated. On production equipment use at least encr aes 256, hash sha256 and group 14 (or stronger), replace the key "cisco" with a long random pre-shared key (or certificates), and use a transform set that includes an authentication transform, for example esp-aes 256 esp-sha256-hmac (esp-sha-hmac on older images): esp-3des alone gives confidentiality without integrity and, as the "replay detection support: N" lines in the SA output show, no anti-replay protection either.

Verification

Verify NAT
PC1#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/43/52 ms
R1#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 13.1.1.1:1        192.168.1.2:1      3.3.3.3:1          3.3.3.3:1

PC2#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/94/104 ms
R2#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 23.1.1.2:0        192.168.2.2:0      3.3.3.3:0          3.3.3.3:0
Verify VPN connectivity
R1#clear ip nat translation *
PC1#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/348/1192 ms

R1#show ip nat translations                           
// The NAT table is empty, which shows that the VPN traffic was not translated. The first echo of the ping above was lost while IKE negotiated the phase 1 and phase 2 SAs on demand; the remaining echoes went through the tunnel.

R2#clear ip nat translation *
PC2#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/72 ms

R2#show ip nat translations  
// Empty on R2 as well
View the phase 1 IKE policy
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Check whether phase 1 negotiated successfully (state QM_IDLE with status ACTIVE means the ISAKMP SA is established)
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
23.1.1.2        13.1.1.1        QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
23.1.1.2        13.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
View the phase 2 IPSec transform set
R1#show crypto ipsec transform-set
Transform set myset: { esp-3des  } 
   will negotiate = { Tunnel,  }, 
R2#show crypto ipsec transform-set
Transform set myset: { esp-3des  } 
   will negotiate = { Tunnel,  }, 
View the state of the data connection (IPSec) SAs
R1#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: mymap, local addr 13.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 23.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 13.1.1.1, remote crypto endpt.: 23.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x36685AEC(912808684)

     inbound esp sas:
      spi: 0x3FA4EAED(1067772653)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4492090/3177)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x36685AEC(912808684)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4492090/3177)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: mymap, local addr 23.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 13.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.2, remote crypto endpt.: 13.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x3FA4EAED(1067772653)

     inbound esp sas:
      spi: 0x36685AEC(912808684)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4500995/3171)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3FA4EAED(1067772653)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4500995/3171)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
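The following is an added example, not part of the original post, that automates the cross-check an engineer does by eye on the two outputs above. It parses trimmed copies of the R1 and R2 show crypto ipsec sa output (embedded below as sample input taken from this page) and verifies that each side's outbound SPI is the other side's inbound SPI, that the crypto endpoints mirror each other, that both directions carry traffic, and that the negotiated transform provides integrity and anti-replay protection. The parse_ipsec_sa() and audit() functions are this example's own; the parsing relies only on the line formats visible in the output.

```python
"""Cross-check two peers' "show crypto ipsec sa" output.

Added example (not from the original post). Sample inputs are trimmed copies of
the R1 and R2 output shown on this page.
"""
import re

R1_OUTPUT = """\
interface: FastEthernet0/1
    Crypto map tag: mymap, local addr 13.1.1.1
   current_peer 23.1.1.2 port 500
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #send errors 12, #recv errors 0
     local crypto endpt.: 13.1.1.1, remote crypto endpt.: 23.1.1.2
     current outbound spi: 0x36685AEC(912808684)
     inbound esp sas:
      spi: 0x3FA4EAED(1067772653)
        transform: esp-3des ,
        replay detection support: N
        Status: ACTIVE
     outbound esp sas:
      spi: 0x36685AEC(912808684)
        transform: esp-3des ,
        replay detection support: N
        Status: ACTIVE
"""

R2_OUTPUT = """\
interface: FastEthernet0/1
    Crypto map tag: mymap, local addr 23.1.1.2
   current_peer 13.1.1.1 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 0, #recv errors 0
     local crypto endpt.: 23.1.1.2, remote crypto endpt.: 13.1.1.1
     current outbound spi: 0x3FA4EAED(1067772653)
     inbound esp sas:
      spi: 0x36685AEC(912808684)
        transform: esp-3des ,
        replay detection support: N
        Status: ACTIVE
     outbound esp sas:
      spi: 0x3FA4EAED(1067772653)
        transform: esp-3des ,
        replay detection support: N
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Pull endpoints, counters and per-direction ESP SA details out of the output."""
    info = {"inbound": {}, "outbound": {}}
    section = None   # which "esp sas" block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", line)):
            info["local"], info["remote"] = m.groups()
        elif (m := re.match(r"#pkts encaps: (\d+),", line)):
            info["encaps"] = int(m.group(1))
        elif (m := re.match(r"#pkts decaps: (\d+),", line)):
            info["decaps"] = int(m.group(1))
        elif (m := re.match(r"#send errors (\d+), #recv errors (\d+)", line)):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("inbound esp sas"):
            section = "inbound"
        elif line.startswith("outbound esp sas"):
            section = "outbound"
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            info[section]["spi"] = int(m.group(1), 16)
        elif section and (m := re.match(r"transform: (.+?) ,", line)):
            info[section]["transform"] = m.group(1).split()
        elif section and (m := re.match(r"replay detection support: (\S)", line)):
            info[section]["replay"] = m.group(1) == "Y"
        elif section and (m := re.match(r"Status: (\S+)", line)):
            info[section]["status"] = m.group(1)
    return info


def audit(a, b, names=("peer A", "peer B")):
    """Return a list of findings for a peer pair; an empty list means the tunnel looks healthy."""
    findings = []
    if a["outbound"]["spi"] != b["inbound"]["spi"] or a["inbound"]["spi"] != b["outbound"]["spi"]:
        findings.append("SPI mismatch: the two outputs do not describe the same SA pair")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("crypto endpoints do not mirror each other")
    for name, info in zip(names, (a, b)):
        if info["encaps"] == 0 or info["decaps"] == 0:
            findings.append(f"{name}: no traffic in at least one direction "
                            f"(encaps={info['encaps']}, decaps={info['decaps']})")
        if info["send_errors"]:
            findings.append(f"{name}: {info['send_errors']} send errors (packets dropped "
                            "before the SA was up; investigate if the counter keeps rising)")
        for direction in ("inbound", "outbound"):
            sa = info[direction]
            if sa.get("status") != "ACTIVE":
                findings.append(f"{name}: {direction} SA is not ACTIVE")
            transform = sa.get("transform", [])
            if not any(t.endswith("-hmac") for t in transform):
                findings.append(f"{name}: {direction} transform {' '.join(transform)} has no "
                                "authentication transform, so ESP gives confidentiality only")
            if not sa.get("replay"):
                findings.append(f"{name}: {direction} SA has anti-replay protection disabled")
    return findings


if __name__ == "__main__":
    r1, r2 = parse_ipsec_sa(R1_OUTPUT), parse_ipsec_sa(R2_OUTPUT)
    for finding in audit(r1, r2, ("R1", "R2")):
        print("-", finding)
```

On this page's output the SPI and endpoint checks pass (0x36685AEC is R1's outbound and R2's inbound SPI, 0x3FA4EAED the reverse), and the findings that remain are exactly the weaknesses of the lab configuration: R1's 12 send errors, and on every SA an esp-3des-only transform with anti-replay disabled.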
View the crypto map
R1#show crypto map
Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 23.1.1.2
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 23.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 
                myset, 
        }
        Interfaces using crypto map mymap:
                FastEthernet0/1
R2#show crypto map
Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 13.1.1.1
        Extended IP access list 101
            access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 13.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 
                myset, 
        }
        Interfaces using crypto map mymap:
                FastEthernet0/1